NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

OIG REPORT TO OMB ON THE NATIONAL CREDIT UNION ADMINISTRATION'S
COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT
2003

Report #OIG-03-07                                   September 12, 2003

Herbert S. Yolles
Inspector General

Released By:                                        Auditor-in-Charge:
William A. DeSarno                                  Tammy F. Rapp, CPA, CISA
Deputy Inspector General for Audits                 Sr. Information Technology Auditor

LIMITED OFFICIAL USE ONLY


TABLE OF CONTENTS

Section                                                                          Page
   I      Summary of Results                                                        1
   II     Office of Management & Budget Report Format                               3
             A. Overview of FISMA IT Security Reviews                               3
             B. Responsibilities of Agency Head                                     5
             C. Responsibilities of Agency Program Officials and Agency Chief
                Information Officer                                                 7

Exhibits
   A      Independent Evaluation of the NCUA Information Security Program - 2003
   B      NCUA Financial Statement Audits – 2002
             Executive Summary
             Observations and Recommendations
             Information Technology Detailed Observations

   Note: Exhibits transmitted separately and restricted for official use only.


I. SUMMARY OF RESULTS

The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA) engaged Cotton & Company LLP to conduct an independent evaluation of its information systems security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002, and Office of Management and Budget (OMB) Circular A-130, Appendix III.

The OMB issued Fiscal Year 2003 Guidance on Annual Information Technology Security Reports on August 7, 2003. This guidance provided clarification to agencies for implementing, meeting, and reporting FISMA requirements to OMB and the Congress. This report contains a summary of our evaluation of the NCUA's information security program and is presented in the OMB prescribed format.

The OIG issued two reports during the past year that reported on the testing of the effectiveness of information security and internal controls:

   •  On March 31, 2003, the OIG issued the Financial Statement Audit Report for the year ended December 31, 2002. The purpose of this audit was to express an opinion on whether the financial statements were fairly presented. In addition, the internal control structure was reviewed and an evaluation of compliance with laws and regulations was performed as part of the audit. The result of this audit was an unqualified opinion, stating that the financial statements were presented fairly. Although there were no material weaknesses identified during the review of the internal control structures pertinent to financial reporting, eight recommendations were made relating to weaknesses in the area of information security. Refer to Exhibit B for the Executive Summary, Observations and Recommendations, and Detailed Information Technology Observations sections of this report.

   •  On September 12, 2003, the OIG issued a report containing an Independent Evaluation of the NCUA's Information Security Program - 2003. The content of the independent evaluation report supports the conclusions presented in this report. Refer to Exhibit A for the complete independent evaluation.

The Chief Information Officer (CIO) is to be commended for the actions taken to improve NCUA's information technology (IT) infrastructure. During FY2003, NCUA accomplished the following:

   •  Completed certification of eight systems.
   •  Completed and updated several security plans.

Even with these efforts, the independent evaluation identified significant weaknesses in the base structure of NCUA's security program that impact the security of all information residing on the network. Overall, the evaluation determined that NCUA's information security program does not fully meet the minimum security requirements of the Office of Management and Budget Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources. Two significant deficiencies exist in the NCUA IT infrastructure.

First, we noted several weaknesses related to the underlying general support systems and network. This is significant because every application relies on the security of the operating system on which it resides. Therefore, if the underlying operating systems are not secure, then the applications themselves cannot be assured of being secure.

Second, we determined that information stored on examiners' laptop computers is not adequately secured. Examiners frequently store credit union member personal financial information (credit union share and loan "downloads") on their laptop computers. We noted during our review that the examiner laptops and the information stored on the laptops were not considered in any system security plan or certification and accreditation document. In our judgment, this information is quite sensitive and presents a significant security risk. While we recognize that the likelihood of a security breach involving this information is uncertain, the potential damage to credit unions and their members and to NCUA's reputation is quite significant. Accordingly, we believe that any subsequent security plan or certification and accreditation document should consider adequate safeguards for this information.

While we noted other significant weaknesses in IT controls, we believe that the two conditions described above are the most significant to NCUA, and should be addressed as soon as possible by NCUA's Executive Director and CIO.

In October 2002, the CIO identified and reported 167 weaknesses to OMB in the NCUA's Plans of Action and Milestones (POA&M) report. Additionally, the independent evaluation supporting this report identified 12 new weaknesses and made specific recommendations to address those weaknesses. The table below shows the current status of the weaknesses, along with the new recommendations identified in the independent evaluation.

   Description                                                     Number of Weaknesses
   Reported in NCUA's FY 2002 POA&M                                        167
   Completed/Implemented Fully During FY 2003                               45*
   Partially Completed/Implemented                                          46
   New Weaknesses                                                           12
   FY 2002 Weaknesses Awaiting Implementation as of August 2003             76

   * Although OCIO reported 148 of the 165 weaknesses had been corrected in its July 1, 2003, letter to OMB, we obtained documentation supporting only 45 corrective actions completed.


II. OFFICE OF MANAGEMENT & BUDGET REPORT FORMAT

A. Overview of FISMA IT Security Reviews

In this section, the agency must respond to performance measures and may provide narrative responses where appropriate.

A.1. Identify the agency's total IT security spending and each individual major operating division or bureau's IT security spending as found in the agency's FY03 budget enacted. This should include critical infrastructure protection costs that apply to the protection of government operations and assets. Do not include funding for critical infrastructure protection pertaining to lead agency responsibilities such as outreach to industry and the public.

   Bureau Name                                      FY03 IT Security Spending ($ in thousands)
   National Credit Union Administration (NCUA)     N/A - OIG response not required
   Agency Total

A.2a. Identify the total number of programs and systems in the agency, the total number of systems and programs reviewed by the program officials and CIOs in FY03, the total number of contractor operations or facilities, and the number of contractor operations or facilities reviewed in FY03. Additionally, IGs shall also identify the total number of programs, systems, and contractor operations or facilities that they evaluated in FY03.

                         FY03 Programs          FY03 Systems           FY03 Contractor Operations
                                                                       or Facilities
   Bureau Name           Total   Reviewed       Total   Reviewed       Total   Reviewed
   NCUA                    1        0             13      12*            4        4
   Agency Total            1        0             13      12             4        4

   * The OCIO reviewed all systems except the infrastructure and 5300. As part of the independent evaluation, the OIG reviewed the infrastructure, 5310, TAPS, CHRIS, and ESS. SAP, CLF, and CDRLF were reviewed as part of the financial statement audit.

b. For operations and assets under their control, have agency program officials and the agency CIO used appropriate methods (e.g., audits or inspections, agreed upon IT security requirements for contractor provided services or services provided by other agencies) to ensure that contractor provided services or services provided by another agency for their program and systems are adequately secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy?
   No.

c. If yes, what methods are used? If no, please explain why.
   Sufficient due diligence was not performed to ensure services provided by a payroll/personnel contract agency were adequately secure.

d. Did the agency use the NIST self-assessment guide to conduct its reviews?
   Yes.

e. If the agency did not use the NIST self-assessment guide and instead used an agency developed methodology, please confirm that all elements of the NIST guide were addressed in the agency methodology.

f. Provide a brief update on the agency's work to develop an inventory of major IT systems.
   NCUA is considering adding two systems to its inventory: Travel Mgmt System and Corporate Exam System.

A.3. Identify all material weaknesses in policies, procedures, or practices as identified and required to be reported under existing law in FY03. Identify the number of material weaknesses repeated from FY02, describe each material weakness, and indicate whether POA&Ms have been developed for all of the material weaknesses.

                                                  FY03 Material Weaknesses
                 Total    Total Number      Identify and Describe Each            POA&Ms
   Bureau Name   Number   Repeated from FY02 Material Weakness                   developed? Y/N
   NCUA            2            1            Network not certified                     Y
                                             Sensitive credit union member data
                                             needs better protection                   N
   Agency Total

A.4. This question is for IGs only. Please assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestone process that meets the criteria below. Where appropriate, please include additional explanation in the column next to each criterion.

   Criterion                                                                             Yes    No
   Agency program officials develop, implement, and manage POA&Ms for every system
   that they own and operate (systems that support their programs) that has an IT
   security weakness.                                                                     X
   Agency program officials report to the CIO on a regular basis (at least quarterly)
   on their remediation progress.                                                         X
   Agency CIO develops, implements, and manages POA&Ms for every system that they
   own and operate (systems that support their programs) that has an IT security
   weakness.                                                                              X
   The agency CIO centrally tracks and maintains all POA&M activities on at least a
   quarterly basis.                                                                       X
   The POA&M is the authoritative agency and IG management tool to identify and
   monitor agency actions for correcting information and IT security weaknesses.          X
   System-level POA&Ms are tied directly to the system budget request through the IT
   business case as required in OMB budget guidance (Circular A-11) to tie the
   justification for IT security funds to the budget process.                            N/A
   Agency IGs are an integral part of the POA&M process and have access to agency
   POA&Ms.                                                                                X
   The agency's POA&M process represents a prioritization of agency IT security
   weaknesses that ensures that significant IT security weaknesses are addressed in a
   timely manner and receive, where necessary, appropriate resources.                            X

Although NCUA tracks security weaknesses using the POAM, the POAM process needs to be better managed:
   o  Recommendations found in the POAM were not prioritized.
   o  Documentation was not available to demonstrate implementation of recommendations.
   o  The POAM indicated some recommendations were implemented where risk based decisions were made to not implement the recommendation.


B. Responsibilities of Agency Head

In this section, the agency must respond to performance measures and may provide narrative responses where appropriate to the following questions:

B.1. Identify and describe any specific steps taken by the agency head to clearly and unambiguously set forth FISMA's responsibilities and authorities for the agency CIO and program officials. Specifically how are such steps implemented and enforced?
   NCUA Instruction 13500.4, dated Feb 21, 2002, delegates security authority to the CIO and respective designees.

B.2. Can a major operating component of the agency make an IT investment decision without review by and concurrence of the agency CIO?
   Although managers have discretionary budget authority over their respective operations, the final integration of systems is approved by the CIO.

B.3. How does the head of the agency ensure that the agency's information security plan is practiced throughout the life cycle of each agency system?
   The Executive Director (ED) delegated the oversight of the security program to the Deputy ED.

B.4. During the reporting period, did the agency head take any specific and direct actions to oversee the performance of 1) agency program officials and 2) the CIO to verify that such officials are ensuring that security plans are up-to-date and practiced throughout the lifecycle of each system? Please describe.
   Although the CIO reports to the Executive Director (ED) on IT matters, the ED has not developed a specific requirement for the CIO or program officials to report on the effectiveness of the security program.

B.5. Has the agency integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., continuity of operations, and physical and operational security)? Please describe.
   NCUA does not have any critical infrastructure responsibilities. Although NCUA has coordinated physical security with the Div of Procurement and Facilities, we made recommendations for improvement.

B.6. Does the agency have separate staffs devoted to other security programs? Are such programs under the authority of different agency officials? If so, what specific efforts have been taken by the agency head or other officials to eliminate unnecessary duplication of overhead costs and ensure that policies and procedures are consistent and complementary across the various programs and disciplines?
   Since NCUA is a small agency, there is only one position, the Information Security Officer, dedicated full-time to the information security program. The Div of Procurement and Facilities has responsibility for physical security and coordinates with the OCIO.

B.7. Identification of agency's critical operations and assets (both national critical operations and assets and mission critical) and the interdependencies and interrelationships of those operations and assets.
   a. Has the agency fully identified its national critical operations and assets?
      N/A
   b. Has the agency fully identified the interdependencies and interrelationships of those nationally critical operations and assets?
      N/A
   c. Has the agency fully identified its mission critical operations and assets?
      No.
   d. Has the agency fully identified the interdependencies and interrelationships of those mission critical operations and assets?
      No.
   e. If yes, describe the steps the agency has taken as a result of the review.
   f. If no, please explain why.
      The ISO plans to perform a review of mission critical systems and interrelationships during the next year.

B.8. How does the agency head ensure that the agency, including all components, has documented procedures for reporting security incidents and sharing information regarding common vulnerabilities?
   a. Identify and describe the procedures for external reporting to law enforcement authorities and to the Federal Computer Incident Response Center (FedCIRC).
      The ISO has responsibility for communicating incidents to FedCIRC.
   b. Total number of agency components or bureaus.
      1
   c. Number of agency components with incident handling and response capability.
      1
   d. Number of agency components that report to FedCIRC.
      1
   e. Does the agency and its major components share incident information with FedCIRC in a timely manner consistent with FedCIRC and OMB guidance?
      Y
   f. What is the required average time to report to the agency and FedCIRC following an incident?
      24 hours
   g. How does the agency, including the programs within major components, confirm that patches have been tested and installed in a timely manner?
      OCIO does not have a policy regarding patches. OCIO activated Qualys to identify patches, configuration problems, and known vulnerabilities.
   h. Is the agency a member of the Patch Authentication and Distribution Capability operated by FedCIRC?
      Yes.
   i. If yes, how many active users does the agency have for this service?
      1 - The ISO
   j. Has the agency developed and complied with specific configuration requirements that meet their own needs?
      No.
   k. Do these configuration requirements address patching of security vulnerabilities?
      No.

B.9. Identify by bureau, the number of incidents (e.g., successful and unsuccessful network penetrations, root or user account compromises, denial of service attacks, website defacing attacks, malicious code and virus, probes and scans, password access) reported and those reported to FedCIRC or law enforcement.

   Bureau Name   Number of incidents   Number of incidents reported   Number of incidents reported
                 reported              externally to FedCIRC          externally to law enforcement
   NCUA                  1                        1                               1


C. Responsibilities of Agency Program Officials and Agency Chief Information Officers

In this section, the agency must respond to performance measures and may provide narrative responses where appropriate to identify and describe the performance of agency program officials and the agency CIO in fulfilling their IT security responsibilities.

C.1. Have agency program officials and the agency CIO: 1) assessed the risk to operations and assets under their control; 2) determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques? By each major agency component and aggregated into an agency total, identify actual performance in FY03 according to the measures and in the format provided below for the number and percentage of total systems.

   a. Bureau Name                                                       NCUA          Agency Total
   b. Total number of systems                                            13               13
   c. Number of systems assessed for risk and assigned a level of risk   11 (85%)         11 (85%)
   d. Number of systems that have an up-to-date IT security plan         11 (85%)         11 (85%)
   e. Number of systems certified and accredited                          8 (62%)          8 (62%)
   f. Number of systems with security control costs integrated into
      the life cycle of the system                                       13 (100%)        13 (100%)
   g. Number of systems for which security controls have been tested
      and evaluated in the last year                                     11 (85%)         11 (85%)
   h. Number of systems with a contingency plan                          12 (92%)         12 (92%)
   i. Number of systems for which contingency plans have been tested      1 (8%)           1 (8%)

Some of the above statistics are based on input from the ISO and have not been verified. As part of the independent evaluation and OIG rotational review of systems, the infrastructure and four applications were reviewed during 2003.

C.2. Identify whether the agency CIO has adequately maintained an agency-wide IT security program and ensured the effective implementation of the program and evaluated the performance of major agency components.

   Has the agency CIO maintained an agency-wide IT security program? Y/N
      N
   Did the CIO evaluate the performance of all agency bureaus/components? Y/N
      N
   How does the agency CIO ensure that bureaus comply with the agency-wide IT security program?
      Delegation to the ISO
   Has the agency CIO appointed a senior agency information security officer per the requirements in FISMA?
      Y
   Do agency POA&Ms account for all known agency security weaknesses including all components?
      N

Although the CIO developed an agency-wide security program, it has not been updated during the past year to reflect changes in the infrastructure or security weaknesses identified. In addition, the CIO has not certified its infrastructure or the 5300 system.

The agency POAMs were not updated to reflect IT security weaknesses identified during the financial statement audit. In addition, the ISO plans to include weaknesses recently identified during the certification process in the October 2003 POAM.

C.3. Has the agency CIO ensured security training and awareness of all agency employees, including contractors and those employees with significant IT security responsibilities?

   Total number of agency employees in FY03                                                963
   Agency employees that received IT security training in FY03                             230 (24%)
   Total number of agency employees with significant IT security responsibilities           18
   Agency employees with significant security responsibilities that received
   specialized training                                                                     11 (61%)
   Briefly describe training provided                                                      Conferences and in-house training
   Total costs for providing training in FY03                                              $4,810

The above statistics were provided by the ISO and have not been verified. However, the OIG attended training presented by the CIO that included security aspects related to new notebooks distributed in early 2003.

C.4. Has the agency CIO fully integrated security into the agency's capital planning and investment control process? Were IT security requirements and costs reported on every FY05 business case (as well as in the exhibit 53) submitted by the agency to OMB?

   Bureau Name                                                                              NCUA
   Number of business cases submitted to OMB in FY05                                        N/A
   Did the agency program official plan and budget for IT security and integrate
   security into all of their business cases? Y/N                                           N/A
   Did the agency CIO plan and budget for IT security and integrate security into all
   of their business cases? Y/N                                                             N/A
   Are IT security costs reported in the agency's exhibit 53 for each IT investment? Y/N    N/A

Although NCUA is not required to complete a capital asset plan with its budget submission to OMB, NCUA intends to incorporate security with its strategic plan and enterprise architecture. Since a significant portion of NCUA's information security is handled by the infrastructure, NCUA has not taken any steps to integrate security funding at the system level.